From: Daniel Borkmann <daniel@iogearbox.net>
To: John Fastabend <john.fastabend@gmail.com>, ast@kernel.org
Cc: lmb@cloudflare.com, bpf@vger.kernel.org, jakub@cloudflare.com,
netdev@vger.kernel.org
Subject: Re: [bpf-next PATCH 2/3] bpf: sk_msg helpers for probe_* and *current_task*
Date: Thu, 14 May 2020 10:02:00 +0200 [thread overview]
Message-ID: <384e5835-a241-bc5d-9f3c-729aac4866f3@iogearbox.net> (raw)
In-Reply-To: <158939787911.17281.887645911866087465.stgit@john-Precision-5820-Tower>
On 5/13/20 9:24 PM, John Fastabend wrote:
> Often it is useful when applying policy to know something about the
> task. If the administrator has CAP_SYS_ADMIN rights then they can
> use kprobe + sk_msg and link the two programs together to accomplish
> this. However, this is a bit clunky and also means we have to call
> sk_msg program and kprobe program when we could just use a single
> program and avoid passing metadata through sk_msg/skb, socket, etc.
>
> To accomplish this add probe_* helpers to sk_msg programs guarded
> by a CAP_SYS_ADMIN check. New supported helpers are the following,
>
> BPF_FUNC_get_current_task
> BPF_FUNC_current_task_under_cgroup
> BPF_FUNC_probe_read_user
> BPF_FUNC_probe_read_kernel
> BPF_FUNC_probe_read
> BPF_FUNC_probe_read_user_str
> BPF_FUNC_probe_read_kernel_str
> BPF_FUNC_probe_read_str
Given the current discussion in the other thread with Linus et al, please
don't add more users for BPF_FUNC_probe_read and BPF_FUNC_probe_read_str
as I'm cooking up a patch to disable them on non-x86, and cleanups from
Christoph would make them less efficient than the *_user/_kernel{,_str}()
versions anyway, so lets only add the latter.
Thanks,
Daniel
next prev parent reply other threads:[~2020-05-14 8:02 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-13 19:23 [bpf-next PATCH 0/3] bpf: Add sk_msg helpers John Fastabend
2020-05-13 19:23 ` [bpf-next PATCH 1/3] bpf: sk_msg add some generic helpers that may be useful from sk_msg John Fastabend
2020-05-14 6:58 ` Yonghong Song
2020-05-13 19:24 ` [bpf-next PATCH 2/3] bpf: sk_msg helpers for probe_* and *current_task* John Fastabend
2020-05-14 7:21 ` Yonghong Song
2020-05-14 13:30 ` John Fastabend
2020-05-14 8:02 ` Daniel Borkmann [this message]
2020-05-13 19:24 ` [bpf-next PATCH 3/3] bpf: sk_msg add get socket storage helpers John Fastabend
2020-05-14 7:26 ` Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=384e5835-a241-bc5d-9f3c-729aac4866f3@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=jakub@cloudflare.com \
--cc=john.fastabend@gmail.com \
--cc=lmb@cloudflare.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.